Security breaches and password leaks happen constantly on today’s Internet. LinkedIn, Yahoo, Last.fm, eHarmony — the list of compromised websites is long. If you want to know whether your account information was leaked, there are some tools you can use.
Update: We now recommend using Have I Been Pwned? to see whether your account passwords have leaked online. PwnedList, discussed below, has since shut down.
These leaks often lead to many compromised accounts on other websites. You can limit the damage by using a unique password everywhere: a leak at one site is then a problem for that one account instead of every account you own.
Image Credit: Johan Larsson on Flickr
Why Password Leaks Are Dangerous
Password leaks are so dangerous because many people use the same password for multiple websites. If you register for a website with your email address and provide the same password you use for your email account, that email/password combination may end up on a list somewhere. Sites that store passwords in plaintext, or as unsalted hashes (LinkedIn's leaked database was unsalted SHA-1), make this easy: crackers recover the weak passwords in bulk.
Crackers can then use this email/password combination to gain access to your email account. Even if you use a different password for your email account, they may try the email or account name and password combination on other websites to gain access to your other accounts. This replaying of leaked credentials against other services is now commonly called credential stuffing.
For example, crackers recently compromised over 11,000 Guild Wars 2 accounts. They didn't use keyloggers or compromise the game's servers; they simply tried logging in with email address and password combinations found on lists of leaked passwords. Players who reused a password that had already leaked elsewhere were compromised. The same will happen at any other service crackers want to get into.
How To Protect Yourself
To protect yourself against future leaks, ensure you use different passwords on each website — and ensure they’re long, strong passwords. Otherwise, a compromise at one website could lead to your accounts elsewhere being compromised. While compromised websites will generally inform you of the leak and have you change your password immediately, this won’t help much if you’re using the same password on many other websites.
Remembering unique passwords for all the different websites we use is difficult, which is why password managers are so useful. We like LastPass, but many people swear by KeePass, which stores your encrypted vault locally and keeps you in control of your data.
Checking If Your Password Was Leaked
If you’re curious whether your email address appears on one of these leaked password lists, you don’t have to find a shady download site and download the lists yourself. Instead, you can use a tool that quickly checks for you.
PwnedList is a good one. LastPass now uses PwnedList to monitor whether LastPass account email addresses have been compromised. For example, if your LastPass account email address is you@example.com, you'll get a notification if you@example.com appears on any list of leaked email addresses and passwords. This only applies to the single email address you use for your LastPass account, not every address you have in your LastPass vault.
If you want to check an email address manually, you can use PwnedList's website. Plug in an email address and PwnedList will tell you whether it appears on any leaked lists. (You can also enter the SHA-512 hash of your email address if you don't trust PwnedList with the address itself; any local or online SHA-512 tool will generate it. Two caveats: the hash only matches if you compute it over the address exactly as the service does, so watch capitalization and stray whitespace, and an unsalted hash of an email address is only a thin privacy layer, because anyone holding a list of addresses can hash them and match.)
If your email address does appear on a list, don't panic. It means you should make sure you're not reusing the same password on multiple websites. If you use the same password everywhere and your email address appears on one (or more) of these lists, you have a problem: change your passwords immediately, starting with your email account.
LastPass also hosts tools that let you see whether a specific password appears on the leaked lists of LinkedIn or Last.fm passwords. You can plug passwords in and see whether someone was using them. The results show how weak many passwords are: plug in "password123" and you'll see that at least one person was using it as their LinkedIn password. Treat these checkers the way you would treat any site asking for a password, though: only test passwords you have already retired, never one you still use. A checker of this kind never needs your plaintext password anyway, since the leaked lists are hashes and the comparison can be done on a hash.
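The following added example (not code from the original article, LastPass or PwnedList) shows the mechanics behind both checks above: hashing an email address before handing it to a lookup service, and checking a password against a leaked list of unsalted SHA-1 hashes without ever sending the plaintext anywhere. The leaked list is a constructed two-line sample, the lowercase-and-trim normalization of the email is an assumption about what a service would expect, and the five-character prefix lookup is an illustration of how a checker can be queried while revealing almost nothing about the password, not a description of any particular service's API.

```python
import hashlib

# Constructed sample standing in for a leaked hash dump (LinkedIn's 2012 dump
# was unsalted SHA-1). These are the SHA-1 digests of "password" and "123456";
# the mixed case and stray whitespace mimic a messy dump file. Not real data.
SAMPLE_LEAK_FILE = """
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
  7C4A8D09CA3762AF61E59520943DC26494F8941B
"""


def load_leaked_hashes(text):
    """Parse one hex digest per line into a lowercase set, skipping blank lines."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


SAMPLE_LEAKED_SHA1 = load_leaked_hashes(SAMPLE_LEAK_FILE)


def sha1_hex(password):
    """Unsalted SHA-1, matching how the leaked list in question was stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_password_leaked(password, leaked_hashes):
    """Hash locally and look the digest up; the plaintext never leaves this process."""
    return sha1_hex(password) in leaked_hashes


def prefix_query(password, leaked_hashes, prefix_len=5):
    """Assumed server side of a privacy-preserving lookup: the service only
    sees the first prefix_len hex characters of the digest and returns every
    stored suffix under that prefix. Returns (prefix_sent, suffixes_returned)."""
    prefix = sha1_hex(password).upper()[:prefix_len]
    suffixes = {h.upper()[prefix_len:] for h in leaked_hashes
                if h.upper().startswith(prefix)}
    return prefix, suffixes


def prefix_query_hit(password, leaked_hashes, prefix_len=5):
    """Client side of the same lookup: finish the comparison locally."""
    digest = sha1_hex(password).upper()
    _, suffixes = prefix_query(password, leaked_hashes, prefix_len)
    return digest[prefix_len:] in suffixes


def email_hash(email):
    """SHA-512 of a normalized email address, for services that accept a hash
    instead of the address. Trimming and lowercasing is an assumption: the hash
    only matches if computed the way the service computes it. It is unsalted,
    so anyone with a list of addresses can hash and match them; treat it as a
    thin privacy layer, not anonymity."""
    return hashlib.sha512(email.strip().lower().encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for candidate in ("password", "123456", "correct horse battery staple"):
        print(candidate, "leaked:", is_password_leaked(candidate, SAMPLE_LEAKED_SHA1))
    prefix, suffixes = prefix_query("password", SAMPLE_LEAKED_SHA1)
    print("service sees only prefix", prefix, "and returns", len(suffixes), "suffix(es)")
    print("email hash:", email_hash(" Alice@Example.org "))
```

Run it with a real dump file in place of SAMPLE_LEAK_FILE to check retired passwords offline. The prefix query is what makes a hosted checker acceptable: with a five-character prefix the service learns one of 16^5 buckets, not the password, and the final match happens on your machine.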
Your email account is the center of your online security: websites generally let you reset a password as long as you can click a link sent to your email. If someone else gains access to your email account, it can be game over for your other accounts, so give it a unique, strong password first. Read How To Recover After Your Email Password Is Compromised for more tips on protecting yourself.